Apparmor conflicted with ntpd: apparmor=DENIED operation=capable
What is Apparmor?
Apparmor (short for Application Armor) is a security module that is built into the Linux kernel. It is a Mandatory Access Control (MAC) system that uses profiles to define the access permissions of applications. These profiles are loaded at boot time and are designed to restrict the access of applications to specific system resources such as files, directories, and network sockets.
Problem brief
Sometime, you’ll find the following logs in dmesg repeatly and frequently, it’s generally because the behavior of ntp service conflicts with apparmor.
apparmor=”DENIED” operation=”open” profile=”/usr/sbin/ntpd” name=”/etc/resolvconf/resolv.conf.d/head” pid= comm=”ntpd” requested_mask=”r” denied_mask=”r” fsuid= ouid=
This error message indicates that AppArmor is conflicting with ntpd, preventing it from functioning properly. In this blog post, we will discuss three possible solutions to this problem.
Check apparmor status
aa-status
## or
cat /sys/kernel/security/apparmor/profiles
output
...
/usr/sbin/ntpd (enforce)
...
Solution 1. Change apparmor rule (safer)
Could change the default apparmor control rule of ntpd, the default rule locates in /etc/apparmor.d/usr.sbin.ntpd.
systemctl restart apparmor.service
Solution 2. Disable ntp protect
Or, directly disable the protect/audit of ntpd from apparmor.
ln -s /etc/apparmor.d/usr.sbin.ntpd /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.ntpd
systemctl restart ntp.service
Conclusion
If you are encountering the “apparmor=DENIED operation=capable” error message when running ntpd, there are several possible solutions to the problem. Disabling AppArmor should only be used as a temporary fix, but modifying the AppArmor profiles or updating ntpd’s configuration can provide a more permanent solution. By following the steps outlined in this blog post, you should be able to resolve the AppArmor conflict with ntpd and get your system running smoothly again.